Tag Archives: security

I was attending a meetup, which ended up with a question on my mind ‘What is Obfuscation and what is the difference between it and Encryption’ So I came acrosss this post by Roger Knapp so thought of sharing it with my readers too
So what is the difference? Well let’s first talk about what is Obfuscation:

Obfuscation (or beclouding) is the hiding of intended meaning in communication, making communication confusing, wilfully ambiguous, and harder to interpret.

So from this the key thing to take away is that Obfuscation means that it makes it difficult to interpret. Now let’s look at what the definition of encryption:

In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

So encryption makes data “unreadable” whereas obfuscation makes it “difficult”. That is a good start for a definition but these lines are somewhat gray. There are ‘encryption’ systems that have proven weak such as DES. So if I can decrypt cipher-text encoded by DES, does that mean DES is just Obfuscation? Hrmm. Well if you look at this another way, even strong algorithms (AES, PKI, etc) can be brute forced given infinite time and resources. So does this extend to these algorithms as well? Are then all encryption algorithms just a means of obfuscation at varying levels of difficulty? Well strictly speaking yes; however, the level of difficulty to brute force AES is so far past our current abilities that it is, for now, unbreakable.

So what is Obfuscation?
If we intend to differentiate Obfuscation from Encryption we need a better definition for both. The above definitions are Wikipedia’s, here is what I would add:

Definition of Obfuscation: A process applied to information to intentionally make it difficult to reverse without knowing the algorithm that was applied.

In other words, knowing the process or algorithm that was used makes obfuscation significantly easier to decipher. Any of the examples in the lifehacker article are subject to this. Once I know the basic idea behind your obfuscation technique it’s easy to defeat. Take for example a letter substitution table. Let’s say we assign each letter to another random letter, a=j, b=f, c=u, etc. Now encode this post with that substitution table. It would be a trivial thing to decode even without knowing your ‘secret’ letter substitution table. Why? well just google it: letter substitution solver.

So what is encryption?

Definition of Encryption: A process applied to information that, even knowing the algorithm applied, requires a secret (key) to reverse it in a reasonable amount of time.

There now that seems to fit, even cryptographically weak algorithms like DES fit this description. They make it hard to decipher even knowing the algorithm applied unless you have the key. So this helps delineate the differences between obfuscation and encryption. Even if you use something that fits into the encryption bucket that does not make you’re data secure.

Measuring data security:
Data or information security is measure in time and each of the encryption algorithms we use have a measurable amount of time it would take to break them. This ‘time’ assumes no weaknesses in the key generation or the implementation algorithm. (Note: I’m not interested in chosen plain-text, related key, side channel, and other attacks that rely on behavior of the implementation, I’m talking about cipher-text at rest). This time can and does change, computers become faster, weaknesses in the algorithm itself are exposed, etc. This is very similar to what happened to DES in 1997, things change and what had seemed impossible suddenly became very feasible.

Ultimately no data is ‘perfectly secure’ even using a very good algorithm like AES. You should be aware that most of the time you’re data is more at risk from weak passwords that are used to create an encryption key rather than from weaknesses in the algorithm itself. This is why there are 100′s if not 1000′s of ways to crack winzip passwords. When passwords are not involved the generated pseudo-random keys require storage (you can’t remember it) and therefore the security of that storage location becomes the problem (see Keep it secret, Keep it safe).

Using a Personal Encryption Scheme?
Now back to the story we started with, How to Create a Personal Encryption Scheme to Easily Hide Your Data in Plain Sight. This, as I’ve already said, is a REALLY bad idea. So what should you do? There are 100′s of “Secure Note” applications for almost every platform still in use today. Pick one that allows full text passwords (not 4 digits) and use it. Anything that uses 4 digits is insecure by design having only a keyspace of 10,000 unique possibilities. By contrast, modern cryptography has a keyspace of at least 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 unique possibilities.

Hey guys, what have you heard about CLOUD computing? Sure you must have heard something, don’t say no, it has become very popular in last 3 or 5 years. These are the things I heard,

-“The Internet Industry Is on a Cloud”

-“Federal CIO Scrutinizes Spending And Eyes Cloud Computing”

-“Cloud Computing Something We Absolutely Have to Do”

-“I had a customer tell me there’s a rainstorm coming, that there will be all these clouds and none are going to talk to each other”.

Imaginary Cloud

Aren’t these statements making you curious, the word CLOUD , the way people speak about it?

Our world today expects,

Agility/flexibility of technology(User-friendliness)

Real time information and immediate feedback

If you accept…

– There is an unquenchable thirst for collaboration and sharing

– Need of a technology which will allow us to work from anywhere at any time using any device – highly mobile workforce

Then…

– How do we achieve mission assurance on the same network?

– How do we ensure the network is there when we need it?

– What approach should we take?

To achieve these

– New distribution channels

– Early warning through the blogosphere

– Dynamic, ad hoc sharing and collaboration

To Achieve solutions to all these complex problems,
We now finally come to the technology

CLOUD

A style of computing where massively scalable (and elastic) IT-related capabilities are provided “as a service” to external customers using Internet technologies is called the CLOUD.

The “Cloud Concept” built upon the three pillars of current computing system such as “Infrastructure”, ”Platform” and the “Software” or applications.

The business benefit of “Cloud” is, its’ use to provide “On demand Service” which helps to full fill the demand of chain execution can be the cause of reducing expenses of implementation of multiple processing units.

Cloud provides the concept of updating of resources without affecting the underlying infrastructure, which reduce the need of backup system and encourage the continuous execution of application.

Cloud provides potential “Reliability” and “Scalability” for the applications either deployed or are running on cloud.

Since, cloud use to assure out most security for any business application, it provides a “Private Cluster” for each application.

Also we can say CLOUD as Infrastructure provided by the service provider to build internet application.

These are the services provided by cloud are categorize

> Software As a Service(SaaS)

Here we can use software that are pre installed in the cloud, so that we don’t have to install the software in our pc and waste spaces.
Eg:- Microsoft’s OFFICE 365 (MS OFFICE ), this application is hosted on the cloud so if the customer needs to use it he can visit the site and can use the app online.Other similar applications are mail clients(Gmail, yahoo mail and many others)

> Infrastructure As a Service(IaaS)

This means providing, working environment virtually using cloud. That means we can gain access to a virtual device in cloud which is similar to hardware to achieve our task. Eg:- We can use Apple Iphone virtually even though we don’t have it in our hand.Similarly there are virtual Desktop and many other devices too, according to the service provider and purpose this changes.

> Platform As a Service(PaaS)

Here platform is provided to the user, so he does not have to worry about the platform.So this is platform independent.So you don’t have to worry about whether it will support Linux, Windows or Mac.All you need is a web browser.

> Database As a Service(Daas)

Here we are storing all our data in CLOUD(Actually in a Server), so we don’t have to store the data in our pc, which is less secure and may be lost if some problem occurs, like system crashes.So by storing our data in CLOUD Database we can save space, and can avoid unwanted problems.

> Software plus Service

Software plus Service is similar to SaaS, but it has some extra features, like payed users will have more, access options or similar extra facilities.

Out of these SaaS, PaaS, IaaS are the main Services.

So this is the basic over view of CLOUD computing.
Hope You Guys Got Some things out of this Post…..!